Smart cards—cards with embedded integrated circuits that can process information—offer a number of features that provide or enhance privacy protection in an access-control system. Check out the following:
- Authentication. Smart cards provide ways to authenticate others who want to gain access to the card. These mechanisms can be used to validate users, devices, or applications wishing to use the data on the card's chip. These features can protect privacy by ensuring that a banking application has been authenticated as having the appropriate access rights before accessing financial data or functions on the card, for example.
- Secure data storage. Smart cards provide a way to securely store data on the card. This data can only be accessed through the smart-card operating system by those with proper access rights. This feature can be utilized by a system to enhance privacy by storing personal user data on the card rather than in a central database, for example. In this situation, the user has better knowledge and control of when their personal data is being granted access—and who is involved.
- Encryption. Smart cards provide a robust set of encryption capabilities, including key generation, secure key storage, hashing, and digital signing. These capabilities can be used to protect privacy in many ways. For example, a smart-card system can produce a digital signature for an e-mail message, providing a way to validate the e-mail's authenticity. This protects the message from being tampered with, and also provides the recipient with assurance about origination. The fact that the signing key originated from a smart card adds credibility to the origin and the intent of the signer.
- Strong device security. Smart-card technology is extremely difficult to duplicate or forge, and has built-in tamper resistance. Smart-card chips include a variety of hardware and software capabilities that detect and react to tampering attempts, and help counter possible attacks.
- Secure communications. Smart cards provide secure communication between the card and reader. Similar to security protocols used in many networks, this feature allows smart cards to send and receive data in a secure, private manner.
- Biometrics. Smart cards provide ways to securely store biometric templates and perform biometric matching functions. These features can be used to improve privacy in systems that use biometrics. For example, storing fingerprint templates on smart cards rather than in a central database can be an effective way to increase privacy in a single sign-on system that uses fingerprint biometrics as the single sign-on credential.
- Personal device. A smart card is, of course, a personal and portable device associated with a particular cardholder. The smart-card plastic is often personalized, providing an even stronger binding to the cardholder. These features, while somewhat obvious, can be leveraged to improve privacy. For example, a healthcare application might elect to store prescription information on the card vs. on paper to improve the accuracy and privacy of patient prescriptions.
The Princeton Junction, NJ-based Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use, and widespread application of smart-card technology.
